generalized tls_eap_t to support EAP_TNC wrapping the TNC_IF_TNCCS protocol

src/libcharon/plugins/eap_tls/eap_tls.c

@@ -123,6 +123,7 @@ static eap_tls_t *eap_tls_create(identification_t *server,
 {
 	private_eap_tls_t *this;
 	size_t frag_size;
+	tls_t *tls;
 
 	INIT(this,
 		.public = {
@@ -139,8 +140,13 @@ static eap_tls_t *eap_tls_create(identification_t *server,
 
 	frag_size = lib->settings->get_int(lib->settings,
 					"charon.plugins.eap-tls.fragment_size", MAX_FRAGMENT_LEN);
-	this->tls_eap = tls_eap_create(EAP_TLS, is_server, server, peer,
-								   NULL, frag_size);
+	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TLS, NULL);
+	if (!tls)
+	{
+		free(this);
+		return NULL;
+	}
+	this->tls_eap = tls_eap_create(EAP_TLS, tls, frag_size);
 	if (!this->tls_eap)
 	{
 		free(this);

src/libcharon/plugins/eap_tnc/Makefile.am

@@ -1,6 +1,6 @@
 
 INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
 
 AM_CFLAGS = -rdynamic
 
@@ -8,9 +8,11 @@ if MONOLITHIC
 noinst_LTLIBRARIES = libstrongswan-eap-tnc.la
 else
 plugin_LTLIBRARIES = libstrongswan-eap-tnc.la
+libstrongswan_eap_tnc_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
 endif
 
 libstrongswan_eap_tnc_la_SOURCES = \
-	eap_tnc_plugin.h eap_tnc_plugin.c eap_tnc.h eap_tnc.c
+	eap_tnc_plugin.h eap_tnc_plugin.c eap_tnc.h eap_tnc.c \
+	tnc_if_tnccs.h tnc_if_tnccs.c
 
 libstrongswan_eap_tnc_la_LDFLAGS = -module -avoid-version

src/libcharon/plugins/eap_tnc/eap_tnc.c

@@ -14,6 +14,9 @@
  */
 
 #include "eap_tnc.h"
+#include "tnc_if_tnccs.h"
+
+#include <tls_eap.h>
 
 #include <daemon.h>
 #include <library.h>
@@ -31,84 +34,56 @@ struct private_eap_tnc_t {
 	eap_tnc_t public;
 
 	/**
-	 * ID of the server
+	 * Number of EAP-TNC messages processed so far
 	 */
-	identification_t *server;
+	int processed;
 
 	/**
-	 * ID of the peer
+	 * TLS stack, wrapped by EAP helper
 	 */
-	identification_t *peer;
+	tls_eap_t *tls_eap;
 };
 
-/**
- * Flags of an EAP-TNC message
- */
-typedef enum {
-	EAP_TNC_LENGTH = (1<<7),
-	EAP_TNC_MORE_FRAGS = (1<<6),
-	EAP_TNC_START = (1<<5),
-	EAP_TNC_DH = (1<<4),
-	EAP_TNC_VERSION = 0x07
-} eap_tnc_flags_t;
 
-/**
- * EAP-TNC packet format
- */
-typedef struct __attribute__((packed)) {
-	u_int8_t code;
-	u_int8_t identifier;
-	u_int16_t length;
-	u_int8_t type;
-	u_int8_t flags;
-} eap_tnc_packet_t;
+/** Maximum number of EAP-TNC messages/fragments allowed */
+#define MAX_MESSAGE_COUNT 2 
+/** Default size of a EAP-TNC fragment */
+#define MAX_FRAGMENT_LEN 50000
 
-METHOD(eap_method_t, initiate_peer, status_t,
+METHOD(eap_method_t, initiate, status_t,
 	private_eap_tnc_t *this, eap_payload_t **out)
 {
-	/* peer never initiates */
+	chunk_t data;
+
+	if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
+	{
+		*out = eap_payload_create_data(data);
+		free(data.ptr);
+		return NEED_MORE;
+	}
 	return FAILED;
 }
 
-METHOD(eap_method_t, initiate_server, status_t,
-	private_eap_tnc_t *this, eap_payload_t **out)
-{
-	return NEED_MORE;
-}
-
-METHOD(eap_method_t, process_peer, status_t,
+METHOD(eap_method_t, process, status_t,
 	private_eap_tnc_t *this, eap_payload_t *in, eap_payload_t **out)
 {
-	eap_tnc_packet_t *pkt;
+	status_t status;
 	chunk_t data;
 
-	data = in->get_data(in);
-
-	pkt = (eap_tnc_packet_t*)data.ptr;
-	if (data.len < sizeof(eap_tnc_packet_t) ||
-		untoh16(&pkt->length) != data.len)
+	if (++this->processed > MAX_MESSAGE_COUNT)
 	{
-		DBG1(DBG_IKE, "invalid EAP-TNC packet length");
+		DBG1(DBG_IKE, "EAP-TNC packet count exceeded (%d > %d)",
+			 this->processed, MAX_MESSAGE_COUNT);
 		return FAILED;
 	}
-	if (pkt->flags & EAP_TNC_START)
-	{
-		DBG1(DBG_IKE, "EAP-TNC version is v%u", pkt->flags & EAP_TNC_VERSION);
-	}
-	*out = eap_payload_create_nak(in->get_identifier(in));
-
-	return NEED_MORE;
-}
-
-METHOD(eap_method_t, process_server, status_t,
-	private_eap_tnc_t *this, eap_payload_t *in, eap_payload_t **out)
-{
-	chunk_t data;
-
 	data = in->get_data(in);
-	DBG2(DBG_IKE, "received EAP-TNC data: %B", &data);
-
-	return SUCCESS;
+	status = this->tls_eap->process(this->tls_eap, data, &data);
+	if (status == NEED_MORE)
+	{
+		*out = eap_payload_create_data(data);
+		free(data.ptr);
+	}
+	return status;
 }
 
 METHOD(eap_method_t, get_type, eap_type_t,
@@ -121,6 +96,11 @@ METHOD(eap_method_t, get_type, eap_type_t,
 METHOD(eap_method_t, get_msk, status_t,
 	private_eap_tnc_t *this, chunk_t *msk)
 {
+	*msk = this->tls_eap->get_msk(this->tls_eap);
+	if (msk->len)
+	{
+		return SUCCESS;
+	}
 	return FAILED;
 }
 
@@ -133,58 +113,58 @@ METHOD(eap_method_t, is_mutual, bool,
 METHOD(eap_method_t, destroy, void,
 	private_eap_tnc_t *this)
 {
-	this->peer->destroy(this->peer);
-	this->server->destroy(this->server);
+	this->tls_eap->destroy(this->tls_eap);
 	free(this);
 }
 
-/*
- * See header
+/**
+ * Generic private constructor
  */
-eap_tnc_t *eap_tnc_create_server(identification_t *server, identification_t *peer)
+static eap_tnc_t *eap_tnc_create(identification_t *server,
+								 identification_t *peer, bool is_server)
 {
 	private_eap_tnc_t *this;
+	size_t frag_size;
+	tls_t *tnc_if_tnccs;
 
 	INIT(this,
 		.public = {
 			.eap_method = {
-				.initiate = _initiate_server,
-				.process = _process_server,
+				.initiate = _initiate,
+				.process = _process,
 				.get_type = _get_type,
 				.is_mutual = _is_mutual,
 				.get_msk = _get_msk,
 				.destroy = _destroy,
 			},
 		},
-		.peer = peer->clone(peer),
-		.server = server->clone(server),
 	);
 
+	frag_size = lib->settings->get_int(lib->settings,
+					"charon.plugins.eap-tnc.fragment_size", MAX_FRAGMENT_LEN);
+	tnc_if_tnccs = tnc_if_tnccs_create(is_server, TLS_PURPOSE_EAP_TNC);
+	if (!tnc_if_tnccs)
+	{
+		free(this);
+		return NULL;
+	}
+	this->tls_eap = tls_eap_create(EAP_TNC, tnc_if_tnccs, frag_size);
+	if (!this->tls_eap)
+	{
+		free(this);
+		return NULL;
+	}
 	return &this->public;
 }
 
-/*
- * See header
- */
-eap_tnc_t *eap_tnc_create_peer(identification_t *server, identification_t *peer)
+eap_tnc_t *eap_tnc_create_server(identification_t *server,
+								 identification_t *peer)
 {
-	private_eap_tnc_t *this;
-
-	INIT(this,
-		.public = {
-			.eap_method = {
-				.initiate = _initiate_peer,
-				.process = _process_peer,
-				.get_type = _get_type,
-				.is_mutual = _is_mutual,
-				.get_msk = _get_msk,
-				.destroy = _destroy,
-			},
-		},
-		.peer = peer->clone(peer),
-		.server = server->clone(server),
-	);
-
-	return &this->public;
+	return eap_tnc_create(server, peer, TRUE);
 }
 
+eap_tnc_t *eap_tnc_create_peer(identification_t *server,
+							   identification_t *peer)
+{
+	return eap_tnc_create(server, peer, FALSE);
+}

src/libcharon/plugins/eap_tnc/tnc_if_tnccs.c

@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_if_tnccs.h"
+
+#include <debug.h>
+
+typedef struct private_tnc_if_tnccs_t private_tnc_if_tnccs_t;
+
+/**
+ * Private data of a tnc_if_tnccs_t object.
+ */
+struct private_tnc_if_tnccs_t {
+
+	/**
+	 * Public tls_t interface.
+	 */
+	tls_t public;
+
+	/**
+	 * Role this TNC IF-TNCCS stack acts as.
+	 */
+	bool is_server;
+
+	/**
+	 * TLS stack purpose, as given to constructor
+	 */
+	tls_purpose_t purpose;
+};
+
+METHOD(tls_t, process, status_t,
+	private_tnc_if_tnccs_t *this, void *buf, size_t buflen)
+{
+	/* TODO */
+	return NEED_MORE;
+}
+
+METHOD(tls_t, build, status_t,
+	private_tnc_if_tnccs_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+	char output[] = "Hello World";
+	size_t len = strlen(output);
+	
+	/* TODO */
+	*buflen = len;
+	*msglen = len;
+	memcpy(buf, output, len);
+
+	return ALREADY_DONE;
+}
+
+METHOD(tls_t, is_server, bool,
+	private_tnc_if_tnccs_t *this)
+{
+	return this->is_server;
+}
+
+METHOD(tls_t, get_purpose, tls_purpose_t,
+	private_tnc_if_tnccs_t *this)
+{
+	return this->purpose;
+}
+
+METHOD(tls_t, is_complete, bool,
+	private_tnc_if_tnccs_t *this)
+{
+	/* TODO */
+	return TRUE;
+}
+
+METHOD(tls_t, get_eap_msk, chunk_t,
+	private_tnc_if_tnccs_t *this)
+{
+	return chunk_empty;
+}
+
+METHOD(tls_t, destroy, void,
+	private_tnc_if_tnccs_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+tls_t *tnc_if_tnccs_create(bool is_server, tls_purpose_t purpose)
+{
+	private_tnc_if_tnccs_t *this;
+
+	switch (purpose)
+	{
+		case TLS_PURPOSE_EAP_TNC:
+			break;
+		default:
+			return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.process = _process,
+			.build = _build,
+			.is_server = _is_server,
+			.get_purpose = _get_purpose,
+			.is_complete = _is_complete,
+			.get_eap_msk = _get_eap_msk,
+			.destroy = _destroy,
+		},
+		.is_server = is_server,
+		.purpose = purpose,
+	);
+
+	return &this->public;
+}

src/libcharon/plugins/eap_tnc/tnc_if_tnccs.h

@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_if_tnccs tnc_if_tnccs
+ * @{ @ingroup tnc_if_tnccs
+ */
+
+#ifndef TNC_IF_TNCCS_H_
+#define TNC_IF_TNCCS_H_
+
+#include <library.h>
+
+#include <tls.h>
+
+/**
+ * Create an instance of the TNC IF-TNCCS 1.1 protocol handler.
+ *
+ * @param is_server			TRUE to act as server, FALSE for client
+ * @param purpose			purpose this TLS stack instance is used for
+ * @return					TNC_IF_TNCCS stack
+ */
+tls_t *tnc_if_tnccs_create(bool is_server, tls_purpose_t purpose);
+
+#endif /** TNC_IF_TNCCS_H_ @}*/

src/libcharon/plugins/eap_ttls/eap_ttls.c

@@ -126,6 +126,7 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
 {
 	private_eap_ttls_t *this;
 	size_t frag_size;
+	tls_t *tls;
 
 	INIT(this,
 		.public = {
@@ -146,8 +147,13 @@ static eap_ttls_t *eap_ttls_create(identification_t *server,
 	}
 	frag_size = lib->settings->get_int(lib->settings,
 					"charon.plugins.eap-ttls.fragment_size", MAX_FRAGMENT_LEN);
-	this->tls_eap = tls_eap_create(EAP_TTLS, is_server, server, peer,
-								   application, frag_size);
+	tls = tls_create(is_server, server, peer, TLS_PURPOSE_EAP_TTLS, application);
+	if (!tls)
+	{
+		free(this);
+		return NULL;
+	}
+	this->tls_eap = tls_eap_create(EAP_TTLS, tls, frag_size);
 	if (!this->tls_eap)
 	{
 		application->destroy(application);

src/libtls/tls.h

@@ -98,6 +98,8 @@ enum tls_purpose_t {
 	TLS_PURPOSE_EAP_TTLS,
 	/** non-EAP TLS */
 	TLS_PURPOSE_GENERIC,
+	/** EAP binding for TNC */
+	TLS_PURPOSE_EAP_TNC
 };
 
 /**

src/libtls/tls_eap.c

@@ -71,6 +71,9 @@ typedef enum {
 	EAP_TTLS_VERSION = (0x07),
 } eap_tls_flags_t;
 
+#define EAP_TTLS_SUPPORTED_VERSION	0
+#define EAP_TNC_SUPPORTED_VERSION	1
+
 /**
  * EAP-TLS/TTLS packet format
  */
@@ -92,6 +95,17 @@ METHOD(tls_eap_t, initiate, status_t,
 			.code = EAP_REQUEST,
 			.flags = EAP_TLS_START,
 		};
+		switch (this->type)
+		{
+			case EAP_TTLS:
+				pkt.flags |= EAP_TTLS_SUPPORTED_VERSION;
+				break;
+			case EAP_TNC:
+				pkt.flags |= EAP_TNC_SUPPORTED_VERSION;
+				break;
+			default:
+				break;
+		}
 		htoun16(&pkt.length, sizeof(eap_tls_packet_t));
 		do
 		{	/* start with non-zero random identifier */
@@ -154,9 +168,21 @@ static status_t build_pkt(private_tls_eap_t *this,
 	pkt->type = this->type;
 	pkt->flags = 0;
 
+	switch (this->type)
+	{
+		case EAP_TTLS:
+			pkt->flags |= EAP_TTLS_SUPPORTED_VERSION;
+			break;
+		case EAP_TNC:
+			pkt->flags |= EAP_TNC_SUPPORTED_VERSION;
+			break;
+		default:
+			break;
+	}
+
 	if (this->first_fragment)
 	{
-		pkt->flags = EAP_TLS_LENGTH;
+		pkt->flags |= EAP_TLS_LENGTH;
 		len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(u_int32_t);
 		status = this->tls->build(this->tls, buf + sizeof(eap_tls_packet_t) +
 								  sizeof(u_int32_t), &len, &reclen);
@@ -235,9 +261,9 @@ METHOD(tls_eap_t, process, status_t,
 	}
 	if (pkt->flags & EAP_TLS_START)
 	{
-		if (this->type == EAP_TTLS)
+		if (this->type == EAP_TTLS || this->type == EAP_TNC)
 		{
-			DBG1(DBG_TLS, "EAP-TTLS version is v%u",
+			DBG1(DBG_TLS, "%N version is v%u", eap_type_names, this->type,
 				 pkt->flags & EAP_TTLS_VERSION);
 		}
 	}
@@ -295,24 +321,9 @@ METHOD(tls_eap_t, destroy, void,
 /**
  * See header
  */
-tls_eap_t *tls_eap_create(eap_type_t type, bool is_server,
-						  identification_t *server, identification_t *peer,
-						  tls_application_t *application, size_t frag_size)
+tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size)
 {
 	private_tls_eap_t *this;
-	tls_purpose_t purpose;
-
-	switch (type)
-	{
-		case EAP_TLS:
-			purpose = TLS_PURPOSE_EAP_TLS;
-			break;
-		case EAP_TTLS:
-			purpose = TLS_PURPOSE_EAP_TTLS;
-			break;
-		default:
-			return NULL;
-	};
 
 	INIT(this,
 		.public = {
@@ -322,15 +333,11 @@ tls_eap_t *tls_eap_create(eap_type_t type, bool is_server,
 			.destroy = _destroy,
 		},
 		.type = type,
-		.is_server = is_server,
+		.is_server = tls->is_server(tls),
 		.first_fragment = TRUE,
 		.frag_size = frag_size,
-		.tls = tls_create(is_server, server, peer, purpose, application),
+		.tls = tls,
 	);
-	if (!this->tls)
-	{
-		free(this);
-		return NULL;
-	}
+
 	return &this->public;
 }

src/libtls/tls_eap.h

@@ -25,7 +25,7 @@ typedef struct tls_eap_t tls_eap_t;
 
 #include <eap/eap.h>
 
-#include "tls_application.h"
+#include "tls.h"
 
 /**
  * TLS over EAP helper, as used by EAP-TLS and EAP-TTLS.
@@ -33,7 +33,7 @@ typedef struct tls_eap_t tls_eap_t;
 struct tls_eap_t {
 
 	/**
-	 * Initiate TLS over EAP exchange (as client).
+	 * Initiate TLS/TTLS/TNC over EAP exchange (as client).
 	 *
 	 * @param out			allocated EAP packet data to send
 	 * @return
@@ -43,7 +43,7 @@ struct tls_eap_t {
 	status_t (*initiate)(tls_eap_t *this, chunk_t *out);
 
 	/**
-	 * Process a received EAP-TLS/TTLS packet, create response.
+	 * Process a received EAP-TLS/TTLS/TNC packet, create response.
 	 *
 	 * @param in			EAP packet data to process
 	 * @param out			allocated EAP packet data to send
@@ -71,14 +71,9 @@ struct tls_eap_t {
  * Create a tls_eap instance.
  *
  * @param type				EAP type, EAP-TLS or EAP-TTLS
- * @param is_server			role
- * @param server			server identity
- * @param peer				peer identity, NULL to omit peer authentication
- * @param application		TLS application layer, if any
+ * @param tls				TLS implementation
  * @param frag_size			maximum size of a TLS fragment we send
  */
-tls_eap_t *tls_eap_create(eap_type_t type, bool is_server,
-						  identification_t *server, identification_t *peer,
-						  tls_application_t *application, size_t frag_size);
+tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size);
 
 #endif /** TLS_EAP_H_ @}*/